CPD: Financial consumer protection – part 2 – the art of the conversation (having, recording, storing, using, protecting)

From

Successful adviser/client relationships are based on trusted conversations.

If the essence of the financial adviser/client relationship is trusted conversations, then the way the outcomes of those conversations are recorded, secured, and shared, is of paramount importance. Protecting clients’ interests through the management of their personal information is one of the core consumer protection pillars across any business sector.

In the context of financial advice, a combination of regulation and professional body guidance applies to customer information, designed to protect the interests of customers as they navigate a complex financial landscape, while at the same time, increasing confidence and trust in financial advice and those who provide it. In this second article in a two-part series, we explore the important financial consumer protection mechanisms inherent in the processes underpinning the day-to-day operations of a financial planning practice.

Advisers take note: good record keeping protects your clients

The accurate recording and storing of adviser/client interactions – and the ability to access and call upon that information in the future – is central to the advice process. It allows verification of instructions and evidences any subsequent variations to those instructions. It facilitates the tracking of progress against plans and helps clients understand the services they have received, and the fees charged for those services. Accurate records can also help jog memories and minimise misunderstandings and help settle any disputes before they are escalated (and suck up more resources).

As such they are a central pillar of financial consumer protection and robust governance.

What does the law say about record keeping?

A core – stated – objective of the FASEA code is to lay down standards in the area of client care, and the keeping of accurate and comprehensive records is key to caring for clients and protecting their interests.

FASEA Standard 8 governs financial planner record keeping[1], requiring adviser “records of clients, including former clients, are kept in a form that is complete and accurate.”

The FASEA explanatory statement further clarifies that advisers need to keep records of all the advice and services they provide[2].

That means, rather than recording a bare minimum of personal information for each client, advisers must keep and file every piece of correspondence between themselves and their clients. This means physical documents, and also communications like emails, voice/video recordings and any notes taken during client meetings.

Keeping clear, accurate and complete records also evidences adviser compliance with other FASEA requirements around informed consent and best interests (consumer protection mechanisms discussed in our first article in this series), including Standard 2 (acting with integrity and in the best interest of your client) and Standard 5 (your client has understood the advice and recommendations you’ve given them).

In the course of ‘knowing your client’, and in order to give the best quality advice, advisers must gather a lot of information, encompassing:

  • current circumstances
  • broader, long-term needs and likely circumstances
  • family members’ broader, long-term needs and likely circumstances;
  • risk tolerances;
  • money attitudes; and
  • financial and lifestyle goals

But it’s not just the ‘what’, it’s also the ‘how’, and the ‘how long?’

FASEA Standard 9 relates to the accuracy of your advice, which in turn is underpinned by the accuracy of your records.

Industry commentators have long been critical of the quality of records kept by financial advisers, fearing they are often too vague to stand up to scrutiny by the regulator. As one compliance expert implored advisers[3]:

“I don’t want to see general comments [about your clients]. I want you to tailor it to them. They want to go on a holiday? Big deal. They want to go around Australia for 12 months and spend $50,000… I want to hear what they said, in their own words.”

But recording this information isn’t the end of the process. Advisers must also ensure that client protection is at the forefront in the way they use and store this information.  Specifically, this must be done in line with Australian Privacy Principles (explained in more detail below). Additionally, ASIC requires client records are kept for a period of 7 years from the time when personalised advice was given.

It’s 7 years, bad luck! ASIC and record retention

ASIC Class Order (CO 14/923) requires that specified records are

  • kept for 7 years after the day the personal advice was provided to the client; and
  • are accessible by the licensee at all times during that period in a way that enables the licensee to produce the records.

This obligation continues to apply even if the financial services licensee ceases to be a financial services licensee during the period that the records are required to be kept and accessible. From an adviser perspective, this applies even if advisers change licensees, or leave the industry altogether.[4]

We are our data: client privacy and confidentiality

“We are now acutely aware, as if all of the sudden, that data matters enormously to how we live”. Colin Koopman[5].

For financial advisers to perform their role effectively, clients must disclose much personal and sensitive information about themselves. This information is enormously powerful, being the essence of our identity, capable of unlocking our assets and wealth, and even shaping our relationships. Unsurprisingly then, one of the most fundamental obligations falling upon financial advisers is to keep client information private and confidential. This obligation is enshrined in both law and applicable professional conduct frameworks.

Australian Privacy Principles

The overarching legal requirements can be found in the 13 Australian Privacy Principles which underpin the 1988 Privacy Act[6]. These principles govern standards, rights and obligations around:

  • The collection, use and disclosure of personal information
  • an organisation or agency’s governance and accountability
  • integrity and correction of personal information
  • the rights of individuals to access their personal information

A breach of an Australian Privacy Principle is regarded as ‘interference with the privacy of an individual’ and can lead to regulatory action and penalties (including a maximum fine currently in excess of $2 million, but likely to increase to $10 million[7]).

Financial Advisers are ineligible for the small business exemption

Whilst small businesses (those with annual turnover less than $3 million) are largely exempt from the requirements of the Act, financial planners do not enjoy this exemption, as they are generally classified as ‘reporting entities’ under Section 6 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

This means, as well as needing to comply with 13 individual Privacy Principles, financial advisers are also legally required to have a Privacy Policy.

Your Privacy Policy[8] must tell clients (and prospective clients)

  • your business name and contact details
  • what kinds of personal information you collect and store
  • how you collect personal information and where it is stored
  • the reasons you need to collect personal information
  • how you use and disclose personal information
  • how clients access their personal information, or ask for a correction
  • how to lodge a complaint if they think their information has mishandled, and how you’ll handle their complaint
  • if you are likely to disclose their information outside Australia and, if practical, which countries you are likely to disclose the information to

A full copy of your privacy policy must be available on request, to customers and non-customers. This means in addition to your website (if you have one), you must be able to provide a hard copy to those people without access to the internet. Similarly, your privacy policy should be referenced in all key advice documents (especially those where you are asking the customer to provide data collection and usage permissions, such as forms).

To the extent that a privacy policy shows the care you take to protect your clients’ data, reminding them you have such a policy should be seen as a positive, and an opportunity to reinforce your reputation as a trusted professional.

Financial professional associations have their own guidelines

More specific requirements relating to protecting the confidentiality of client information can be found in the various professional conduct frameworks applicable to financial advisers.

The FPA in particular codifies a number of requirements in the ‘Document Administration and Confidentiality’ section (Rules 723 to 727) of its Code of Professional Practice.[9]

Rule 723 states:

A Member must ensure that any personal information or documents given to or gathered by the Member in the course of or in connection with the provision of financial planning services are securely retained and kept confidential.

Whilst less specific in its detail, the FASEA code also encompasses – through its standards on client best interests and record keeping – a number of requirements around confidentiality. The FPA’s guide to the FASEA code not only helps advisers understand the FASEA requirements (regularly criticised for being too non-specific[10]), it also contains practical tips on how advisers can meet their obligations.

It should be noted that advisers who are registered to provide tax advice – and are members of the Tax Practitioners Board (TPB) – have a higher obligation than other financial planners when disclosing information about their clients to third parties. This is because the Tax Practitioners Board’s (TPB) Code of Professional Conduct has more stringent requirements than the Privacy Act, in three specific ways[11]:

  • Unlike the Privacy Act, the TPB code applies to all information relating to a client’s affairs
  • Secondly, whilst privacy law only applies to disclosure of sensitive information – or personal information for a secondary purpose – the TPB Code requires advisers to obtain their client’s consent when disclosing any of their information to a third party
  • And thirdly, clients must take a positive step to give their consent.

Practical considerations for advisers

Whilst, for the most part, complying with the various requirements around confidentiality seems straightforward, there are a number of scenarios commonly encountered by financial advisers which require extra diligence.

A fundamental question to ask is who in your practice needs to have access to client data, and for what purpose. Does the office bookkeeper or receptionist need access to client files for example? If not, then access should be controlled accordingly.

Another consideration is the number of third parties (related or otherwise) which an adviser may interact with – and provide client data to – in the course of providing and executing financial advice. These include licensees, paraplanners, product providers, software providers, and other outsourced expertise, including tax, legal and estate planning.

As mentioned above, the client permission requirements around data sharing in these circumstances will differ in nature and stringency depending on the type of data shared, and the applicable professional code. (Readers should refer to the specific code(s) under which they operate for more detail around their own obligations).

The off-shoring of various services contributing to the advice value chain is also becoming more common – especially para planning and administrative support – and detail around this must be specifically called out in your privacy policy.

For planners advising both partners in a couple, the importance of keeping separate and independent records each individual client to whom financial advice has been provided (FPA Rule 7.25[12]) cannot be overstressed.

It cannot be assumed that couples wish to be completely transparent with one another about certain aspects of their lives. Sensitivities around previous and current relationships, inheritances and health issues need to be navigated cautiously.

Case Study – don’t assume couples want to share everything

Ms. A and her husband Mr B consulted a financial adviser, resulting in them each applying for life insurance. During the underwriting process, the life insurer contacted the adviser, requesting more information about a condition disclosed by Ms A. The adviser asked one of his staff to telephone Ms. A to discuss the additional requirements needed, but her phone was instead answered by her partner, Mr B. Keen to minimise any delays in the insurance going into force, the staff member explained to Mr B the condition that had been disclosed by Ms. A, and the additional information she therefore needed to provide to the insurer. Mr B had been unaware of the condition and Ms. A had not wanted him to know about it. The incident caused a great deal of strain on their relationship as a result.

With roughly 1 in 3 marriages ending in divorce in Australia[13] there is a reasonable probability that at any given time you will have a number of clients going through the process of separating. It goes without saying the complex process of separating finances – and possibly dealing with lawyers and competing financial claims – is much easier for advisers (and their clients) to manage when separate client records have been kept.

Online data storage: international cybercriminal gangs will store your client data for free

The digital and data revolution has accelerated over the last few years, and the old-fashioned paper files have largely given way to digitised client information. Hence another important thread in the fabric of consumer data protection is the management of cyber risks.

Cybercrime is one of the most pervasive threats facing Australia, estimated to cost us $29 billion per year[14]. Australian financial services businesses are key targets for data breaches, as the client, staff and commercial records held (including account details, tax and payroll data, passwords and other sensitive personal information) can be used to commit a variety of crimes, including tax fraud, identity theft and superannuation related frauds. (The superannuation early release scheme introduced during Covid coincided with a 323% increase in superannuation scams[15] reported to the ACCC in the year ended October 2020).

Small to medium businesses, many of whom would lack the sophisticated cyber protection resources, are especially frequent targets. In fact, a recent survey[16] of businesses by the Australian Cyber Security Centre found that half of sole trader/micro businesses – and a staggering three quarters of small to medium sized businesses – had suffered a suffered a cyber incident at some point.

For an example of how one large AFSL fell victim to a sophisticated cyber-crime, and their subsequent prosecution by ASIC.[17]

The good news is that there are practical steps financial advisers can take to significantly strengthen the protection of their client data.

Figure 1 below shows a handy 16-point checklist put together for sole trader financial advisers, with actionable tips across 5 areas: email systems; mobile technology; digital file storage; onsite data protection; and disaster recovery planning.[18]

A more detailed set of steps for businesses of all sizes can be found on the Australian government’s business.gov.au website[20]. A summary is shown below:

1. Back up your data

It’s essential that you backup your most important data and information regularly. Fortunately, backing up doesn’t generally cost much and is easy to do.

It’s a good idea to use multiple backup methods to help ensure the safety of your important files

2. Secure your devices and network

Set up firewalls, use anti-virus software and spam filters. Consider vulnerability points with any external systems you are connected to, including platforms.

 3.Encrypt important information

You can turn on network encryption through your router settings or by installing a virtual private network (VPN) solution on your device when using a public network.

4. Ensure you use multi-factor authentication (MFA)

Multi-factor authentication (MFA) is a verification security process that requires you to provide two or more proofs of your identity before you can access your account. For example, a system will require a password and a code sent to your mobile device before access is granted. Multi-factor authentication adds an additional layer of security to make it harder for attackers to gain access to your device or online accounts.

5. Manage passphrases

Passphrases can be easier to remember but harder for criminals to crack.

6. Monitor use of computer equipment and systems

Keep a record of all the computer equipment and software that your business uses. Make sure they are secure to prevent forbidden access.

7. Put policies in place to guide your staff and train them how to be safe online

A cyber security policy helps your staff to understand their responsibilities and what is acceptable when they use or share:

  • data
  • computers and devices
  • emails
  • internet sites

8. Get updates on the latest risks

Keep up with the latest scams and security risks to your business. The Australian Cyber Security Centre (ACSC) provides up-to-date information on cyber security issues and how to deal with them.

Conclusion

Successful adviser/client relationships are based on trusted conversations. The consumer protection mechanisms inherent in many day-to-day advice processes are not only an opportunity for advisers to honour this trust, but they can also help strengthen the public reputation of the entire financial advice profession.

Having already discussed the role of financial literacy and informed consent in protecting financial consumer interests in our first article in the series, this second article examines how the recording, sharing and storage of client data is another vital consumer protection pillar, the importance of which is reflected in the stringent obligations and serious penalties that apply.

As always, leading advisers see these obligations, and the protections they provide, as underpinning trusting and sustainable client relationships, and ultimately more viable financial planning businesses.

 

Take the quiz to earn 0.75 CPD hour:

 

Read the first article in the series: CPD: Financial consumer protection – part 1 – a practical framework for financial advisers

 

———-

References:
[1] https://www.fasea.gov.au/code-of-ethics/
[2] https://fpa.com.au/wp-content/uploads/2019/07/FPA-Understanding-the-FASEA-Code-of-Ethics-Version-1.pdf
[3] https://www.professionalplanner.com.au/2019/03/the-advice-is-good-the-recordkeeping-is-bad/
[4] https://www.legislation.gov.au/Details/F2016C00928
[5] ‘How we became our data: a genealogy of the informational person’, Colin Koop, University of Chicago Press, 2019.
[6] https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference/
[7] https://www.innovationaus.com/govt-drops-ball-on-data-breach-penalty-reform/
[8] https://www.oaic.gov.au/privacy/your-privacy-rights/what-is-a-privacy-policy/
[9] https://fpa.com.au/professionalism/fpa-code-of-professional-practice/
[10]https://www.moneymanagement.com.au/features/editorial/fasea-code-uncertainty-must-end
[11] https://www.thefoldlegal.com.au/blog/tpb-ups-the-ante-on-privacy-consent
[12] https://fpa.com.au/professionalism/fpa-code-of-professional-practice/
[13] https://mccrindle.com.au/insights/blog/fast-facts-marriages-australia/
[14] https://www.cyber.gov.au/sites/default/files/2020-09/ACSC-Annual-Cyber-Threat-Report-2019-20.pdf
[15] https://www.moneymanagement.com.au/news/superannuation/323-increase-super-scam-reports
[16] Cyber Security and Australian Small Businesses, Results from the Australian Cyber Security Centre Small Business Survey, July 2020, Australian Government.
[17] Read our previously published case study.
[18] More detail on the individual technology solutions used by the checklist’s author can be found here.
[19] https://www.kitces.com/blog/ria-cybersecurity-checklist-pii-client-data-protection-plan-encrypted-email-storage/
[20] https://business.gov.au/online/cyber-security/how-to-protect-your-business-from-cyber-threats

You must be logged in to post or view comments.